diff --git a/CVE-2020-11987.patch b/CVE-2020-11987.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a8beb22cd967e92941ab9aeb90ffef8877ad0c19
--- /dev/null
+++ b/CVE-2020-11987.patch
@@ -0,0 +1,27 @@
+From 0ef5b661a1f77772d1110877ea9e0287987098f6 Mon Sep 17 00:00:00 2001
+From: Simon Steiner <ssteiner@apache.org>
+Date: Tue, 2 Jun 2020 13:59:37 +0000
+Subject: [PATCH] BATIK-1284: Dont load DTDs in NodePickerPanel
+
+git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1878396 13f79535-47bb-0310-9956-ffa450edef68
+---
+ .../org/apache/batik/apps/svgbrowser/NodePickerPanel.java   | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java b/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java
+index 2a93e95a43..a5ad8e8b11 100644
+--- a/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java
++++ b/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java
+@@ -847,8 +847,10 @@ private Element parseXml(String xmlString) {
+         Document doc = null;
+         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+         try {
+-            javax.xml.parsers.DocumentBuilder parser = factory
+-                    .newDocumentBuilder();
++            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++            javax.xml.parsers.DocumentBuilder parser = factory.newDocumentBuilder();
+             parser.setErrorHandler(new ErrorHandler() {
+                 public void error(SAXParseException exception)
+                         throws SAXException {
diff --git a/batik.spec b/batik.spec
index 1f04596e1c2672454ef7539de1ffd17ff4a33c99..4117c48794a1e4f9f05a9a7a26dfebeb72be24aa 100644
--- a/batik.spec
+++ b/batik.spec
@@ -1,15 +1,16 @@
 %global classpath batik:rhino:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons:jai_imageio
 Name:           batik
 Version:        1.10
-Release:        4
+Release:        5
 Summary:        Batik is an inline templating engine for CoffeeScript
-License:        Apache-2.0 and W3C
+License:        Apache-2.0 and W3C and MPL-1.1 and GPL-2.0-or-later and Apache-1.1
 URL:            https://xmlgraphics.apache.org/batik/
 Source0:        http://archive.apache.org/dist/xmlgraphics/batik/source/batik-src-%{version}.zip
 Source1:        %{name}-security.policy
 
 Patch1:         0001-Fix-imageio-codec-lookup.patch
 Patch6000:      CVE-2019-17566.patch
+Patch6001:      CVE-2020-11987.patch
 
 BuildArch:      noarch
 
@@ -121,6 +122,9 @@ cp -a samples %{buildroot}/%{_datadir}/%{name}/
 %doc CHANGES MAINTAIN README NOTICE
 
 %changelog
+* Thu Mar 11 2021 wangyue <wangyue92@huawei.com> - 1.10-5
+- fix CVE-2020-11987
+
 * Mon Dec 07 2020 zhanghua <zhanghua40@huawei.com> - 1.10-4
 - fix CVE-2019-17566